refactor(payload): rename apollo to ares and update documentation

This commit renames the Apollo payload type to Ares, moving all associated files and updating documentation accordingly. The change includes:
- Renaming directories from `apollo` to `ares`
- Updating documentation image references
- Maintaining the same code functionality while changing the payload name
- Adding new Ares-specific documentation files
- Removing old Apollo documentation files

The rename is done to reflect the new payload name while preserving all existing functionality.
Aryma
2026-04-14 14:02:44 +07:00
parent e14b1f21eb
commit 03d283cf49
753 changed files with 0 additions and 0 deletions


@@ -0,0 +1,50 @@
+++
title = "Creating API Resolvers"
chapter = false
weight = 25
+++
## Creating a New API Resolver
New API resolvers must be a new .NET 4.0 Class library project under the Apollo solution. This new project should have a new class that follows the naming schema of `XxxxResolver` and inherits from the `IWin32ApiResolver` interface.
### IWin32ApiResolver
The `IWin32ApiResolver` must implement three functions (though only one of which is currently leveraged in the Apollo code base).
```
// The most important function to implement - used universally across the code base
T GetLibraryFunction<T>(
Library library,
string functionName,
bool canLoadFromDisk = true,
bool resolveForwards = true) where T : Delegate
T GetLibraryFunction<T>(
Library library,
short ordinal,
bool canLoadFromDisk = true,
bool resolveForwards = true) where T : Delegate
T GetLibraryFunction<T>(
Library library,
string functionHash,
long key,
bool canLoadFromDisk=true,
bool resolveForwards = true) where T : Delegate
```
For the uninitiated, `T` is a generic typing of `Delegate`, meaning that `T` defines an arbitrary function prototype that the API resolver should marshal the resolved function pointer to. For a simple example, we can define a delegate like `CloseHandle` as the following:
```
private delegate void CloseHandle(IntPtr Handle)
```
Then, using the resolver, you could do something like the following:
```
CloseHandle pCloseHandle = MyWin32ApiResolver.GetLibraryFunction<CloseHandle>(Library.KERNEL32, "CloseHandle")
```
Now, the variable `pCloseHandle` is a .NET function representing the `CloseHandle` native Win32 API call.
{{% notice info %}}
The implementation of GetLibraryFunction is truly only important in its first iteration where you specify the cleartext function name. The GetLibraryFunction overloads that use ordinals and function hashes exist as the DInvoke resolver leverages these parameters. If you choose not to implement them and simply raise an error, the agent will still function at this current junction (1/29/2022)
{{% /notice %}}
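Review bot: this file is listed in the commit message as new Ares-specific documentation, yet it still names the old payload twice ("a new .NET 4.0 Class library project under the Apollo solution" and "only one of which is currently leveraged in the Apollo code base"); both should say Ares, or the rename is incomplete on the documentation side. The worked sample also declares `private delegate void CloseHandle(IntPtr Handle)`, but the native kernel32 `CloseHandle` returns BOOL, so a `void` delegate silently discards the failure result; declare it as returning `bool`, and add the trailing semicolons that both C# snippets are missing so they compile as shown. Minor: the three code fences carry no language tag (csharp would render them correctly), and the notice anchors its caveat to a fixed date ("at this current junction (1/29/2022)"), which will be stale for anyone reading the Ares docs; state which overloads the agent actually requires without the date.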